Interview with Eric Greenberg, author of "Mission-Critical Security Planner: When Hackers Won't Take No for an Answer"
by Mirko Zorz - Friday, 28 February 2003.
I have a number and I'll list them. But as I often note when I speak and in my book, security is not strictly about the best tools. Being proficient in security tools is just one part of being good at security-- in fact, while it's a fascinating and important part, it's a smaller part. Understanding security is about understanding distributed computing technologies in breadth and, where necessary, great depth and how those technologies relate to security. It's an art form, a process, and a mind set. It's about understanding precisely how networks, applications, people, business, information, and infrastructure come together, along with the life cycle management of those things. By analogy, someone can have all the tools of a great car mechanic and know how to use each tool, but can't do much with them if they don't understand the car. So security knowledge of security tools by themselves is not enough. With that said, some of my favorite tools include Snort, NetCat, NMAP, Sam Spade, Protocol Analyzers in general (Ethereal, others), Nessus, dsniff, Tripwire, OpenSSL, PGP, Chkrootkit, and about 1000 other tools!

What operating system(s) do you use and why?

For servers exposed to the Internet, my personal choice is Linux. However, for the NetFrameworks consulting practice, Microsoft Windows server products are of course a marketplace reality and we work to secure that technology, and implement with it, if a client's business needs dictate such a requirement. We work with all of them (Solaris, mainframe operating systems, etc). On the desktop, I run Linux and also Windows. It's difficult to survive today without using Windows on the desktop since it's everywhere. I admit I'm a big Linux fan, but I understand the marketplace role of Microsoft and, on the desktop, their role in the marketplace leaves me with few choices. I do remember the day when I could go to the store and actually choose from several different word processors and operating systems. I miss those days. I wrote Mission Critical Security Planner using a wonderful product, Adobe Framemaker. I then converted at the end to Microsoft Word, as required by the publisher's post-processing tools. Fortunately Wiley accommodated me through that entire process, they allowed me to do that.

How long did it take you to write "Mission-Critical Security Planner: When Hackers Won't Take No for an Answer" and what was it like?

The book took a little over two years to write. Writing a book is a very exciting and somewhat spiritual process for me-- I feel as though writing is something I'm "supposed" to do in this life. At the same time, it's incredibly exhausting. This particular book required a great amount of up-front conceptual forethought. From the beginning, the goal of Mission Critical Security Planner was to make the life of the reader easier. Myself, and Carol Long (the fantastic Wiley executive editor I worked with), kept the pressure on ourselves throughout the writing/editing process, making sure we never forgot that goal. Whenever I wrote anything, we asked ourselves 1) will this make a security person's life easier and how and 2) is this an actionable/workable/usable approach because if it isn't, go back to the drawing board. We set out to provide a workable, actionable security planning approach. Since no such approach existed (my reason for writing the book), I needed to find answers to problems that didn't exist. I would spend endless hours going over and over various approaches to modelling secure distributed computing and, very importantly, ways of synthesizing that model into something the reader can immediately use. As we applied the principles of Mission Critical Security Planning in our NetFrameworks security consulting work, we went back and refined the book's content to reflect our experiences. We didn't just write about mission critical security planning, we lived it.

If you could start working on the book all over again, what changes would you make?

